web 服务器+虚拟主机+用户认证+ssl

一、安装httpd

[root@station68 yum.repos.d]# yum list all |grep http

Unable to read consumer identity

httpd.i386 2.2.3-63.el5 base

httpd-devel.i386 2.2.3-63.el5 base

httpd-manual.i386 2.2.3-63.el5 base

jakarta-commons-httpclient.i386 1:3.0-7jpp.1 base

jakarta-commons-httpclient-demo.i386 1:3.0-7jpp.1 base

jakarta-commons-httpclient-javadoc.i386 1:3.0-7jpp.1 base

jakarta-commons-httpclient-manual.i386 1:3.0-7jpp.1 base

mockobjects-alt-httpclient.i386 0.09-14jpp.3 base

mockobjects-httpclient.i386 0.09-14jpp.3 base

system-config-httpd.noarch 5:1.3.3.3-1.el5 base

[root@station68 yum.repos.d]# yum install httpd -y

[root@station68 ~]# rpm -ql httpd ##可以查看安装httpd所生成的文件

[root@station68 ~]# service httpd start ###启动服务

Starting httpd: [ OK ]

[root@station68 ~]# netstat -tnlp ##查看监听的80端口是否启用

clip_image002

用浏览器测试如图

clip_image004

删除配置文件中的welcome.conf就可以不再显示此网页

[root@station68 ~]# cd /etc/httpd/conf.d/

[root@station68 conf.d]# ls

proxy_ajp.conf README welcome.conf

[root@station68 conf.d]# rm welcome.conf

rm: remove regular file `welcome.conf'? y

[root@station68 conf.d]# service httpd restart ##重启服务

Stopping httpd: [ OK ]

Starting httpd: [ OK ]

刷新浏览器如图所示

clip_image006

提供网页内容

[root@station68 conf.d]# cd /var/www/html/

[root@station68 html]# ls

[root@station68 html]# vim wang.html ##编辑网页

<html>

<title>Hi</title>

<h1>Hello</h1>

My name is wangxin.

</html>

刷新浏览器

clip_image008

点击网页文件

clip_image010

二、创建虚拟主机

首先要在主配置文件中取消中心主机

[root@station68 ~]# cd /etc/httpd/conf

[root@station68 conf]# vim httpd.conf

clip_image011

clip_image012

[root@localhost ~]# vim /etc/httpd/conf.d/virtual.conf

clip_image014

[root@localhost ~]# ip addr add 172.16.86.3/16 dev eth0 ##为eth0再添加一个IP地址

[root@localhost ~]# ip addr show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue

link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

inet 127.0.0.1/8 scope host lo

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000

link/ether 00:0c:29:b7:af:f1 brd ff:ff:ff:ff:ff:ff

inet 172.16.86.2/16 brd 172.16.255.255 scope global eth0

inet 192.168.113.2/24 brd 192.168.113.255 scope global eth0:0

inet 172.16.86.3/16 scope global secondary eth0

修改配置文件监听8080端口

[root@station68 conf]# vim httpd.conf

clip_image015

重启服务:

clip_image016

测试网页:

clip_image018

clip_image020

clip_image022clip_image024clip_image026

自定义日志文件只需在配置文件中添加一项即可

[root@localhost ~]# vim /etc/httpd/conf.d/virtual.conf

clip_image028

[root@localhost a.org]# cd /var/log/httpd/

[root@localhost httpd]# ls

access_log access_log.1 error_log error_log.1 error_log.2

[root@localhost httpd]# mkdir magedu.com a.org

[root@localhost httpd]# ls

access_log access_log.1 a.org error_log error_log.1 error_log.2 magedu.com

[root@localhost httpd]# chown apache:apache magedu.com/ a.org/ ##修改属主和属组

[root@localhost httpd]# service httpd restart

Stopping httpd: [ OK ]

Starting httpd: [ OK ]

测试网页:

clip_image030

clip_image032

登录成功:

clip_image034

拒绝IP访问的设置:

[root@localhost ~]# vim /etc/httpd/conf.d/virtual.conf

clip_image036

[root@localhost httpd]# service httpd restart

Stopping httpd: [ OK ]

Starting httpd: [ OK ]

网页测试:

clip_image038

三、ssl的实现

1、要想使web服务器支持ssl功能就要先安装mod_ssl模块

[root@www ~]# yum install mod_ssl �Cy #安装mod_ssl模块

[root@www ~]# rpm -ql mod_ssl #查看生成的文件

/etc/httpd/conf.d/ssl.conf

/usr/lib/httpd/modules/mod_ssl.so

/var/cache/mod_ssl

/var/cache/mod_ssl/scache.dir

/var/cache/mod_ssl/scache.pag

/var/cache/mod_ssl/scache.sem

2、提供CA

另找一台主机作为CA

[root@localhost ~]# cd /etc/pki/

[root@localhost pki]# ls

CA entitlement nssdb product rpm-gpg tls

[root@localhost pki]# cd CA/

[root@localhost CA]# ls

Private

[root@mail CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048) ##生成私钥

Generating RSA private key, 2048 bit long modulus

......................................+++

..........................................................................................+++

e is 65537 (0x10001)

[root@mail CA]# ls -l private/ ##查看属性

total 8

-rw------- 1 root root 1675 Apr 17 22:13 cakey.pem

[root@mail CA]#vim ../tls/openssl.cnf

clip_image040

[root@mail CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655 ##生成自签证书

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [Henan]:

Locality Name (eg, city) [Zhengzhou]:

Organization Name (eg, company) [MageEdu]:

Organizational Unit Name (eg, section) [Tech]:

Common Name (eg, your name or your server's hostname) []:ca.magedu.com

Email Address []:[email protected]

[root@mail CA]# ls

cacert.pem private

[root@mail CA]# mkdir certs crl newcerts

[root@mail CA]# touch index.txt

[root@mail CA]# echo 01 > serial

[root@mail CA]# ls

cacert.pem certs crl index.txt newcerts private serial

[root@mail CA]#

切换到web服务器

[root@www ~]# cd /etc/httpd/

[root@www httpd]# mkdir ssl

[root@www httpd]# ls

conf conf.d htpasswd logs modules run ssl

[root@www ssl]# (umask 077; openssl genrsa 1024 > httpd.key) ##生成私钥

Generating RSA private key, 1024 bit long modulus

......++++++

....................++++++

e is 65537 (0x10001)

[root@www ssl]# ll

total 8

-rw------- 1 root root 891 Apr 17 22:36 httpd.key

[root@www ssl]# openssl req -new -key httpd.key -out httpd.csr ##生成证书签署请求

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:Henan

Locality Name (eg, city) [Newbury]:Zhengzhou

Organization Name (eg, company) [My Company Ltd]:MageEdu

Organizational Unit Name (eg, section) []:Tech

Common Name (eg, your name or your server's hostname) []:hello.magedu.com

Email Address []:[email protected]

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

把证书签署请求发给服务器

[root@www ssl]# scp httpd.csr 172.16.86.1:/tmp

The authenticity of host '172.16.86.1 (172.16.86.1)' can't be established.

RSA key fingerprint is 4a:07:84:06:7c:f9:9b:a2:8e:b1:d2:0a:b8:27:2c:ef.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '172.16.86.1' (RSA) to the list of known hosts.

[email protected]'s password:

httpd.csr 100% 704 0.7KB/s 00:00

切换到做CA的主机签署证书

clip_image042

复制证书到web服务器

[root@www ssl]# scp 172.16.86.1:/tmp/httpd.crt ./

[email protected]'s password:

httpd.crt 100% 3864 3.8KB/s 00:00

[root@www ssl]# ls

httpd.crt httpd.csr httpd.key

[root@www ssl]# cd /etc/httpd/conf.d/

[root@www conf.d]# ls

proxy_ajp.conf README ssl.conf virtual.conf welcome.conf.bak

[root@www conf.d]# vim ssl.conf ##编辑配置文件

clip_image044

clip_image046

[root@www conf.d]# httpd -t

Syntax OK

[root@www conf.d]# service httpd restart

Stopping httpd: [ OK ]

Starting httpd: [ OK ]

切换到做CA的主机把/etc/pki/CA下的cacert.pem 给物理主机一份,并改名为cacert..crt 双击安装即可。

测试网页:

clip_image048

你可能感兴趣的:(服务器,用户,虚拟主机,identity)